activemq-dev mailing list archives

From Dejan Bosanac <de...@nighttale.net>
Subject Re: XSS in Web interface
Date Wed, 06 Apr 2011 08:27:55 GMT
Hi Javier,

ActiveMQ admin console (/admin) has been protected from XSS (see
https://issues.apache.org/jira/browse/AMQ-2625 for more info). I guess camel
web console needs some work in that area (all contributions are welcomed).

The thing is that broker installations are usually not publicly deployed, so
these web pages are not accessible. However, you can additionally secure the
access to them (
http://activemq.apache.org/web-console.html#WebConsole-SecuringWebConsole).
Also, if you don't need camel web console, you can disable it in the
production environment.



Regards
-- 
Dejan Bosanac - http://twitter.com/dejanb
-----------------
The experts in open source integration and messaging - http://fusesource.com
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net

Connect at CamelOne <http://camelone.com/> May 24-26

The Open Source Integration Conference



On Tue, Apr 5, 2011 at 6:10 PM, Javier Godinez <godinezj@gmail.com> wrote:

> ActiveMQ Developers,
>
> A quick question regarding cross-site script vulnerabilities in the web
> interface. Is the Web interface intended to be accessible during production,
> or is that simply used during development? If it is intended to be used in
> production, is there a reason for the lack of input filtering (HTML) in
> places such as the /camel/endpoints (uri field)? I am tasked with assessing
> the security of an ActiveMQ deployment. Are there any best practices
> guidelines that you could link me to?
>
>
> Thanks,
> Javier
>
